summaryrefslogtreecommitdiffstats
path: root/net/tipc
diff options
context:
space:
mode:
authorErik Hugne <erik.hugne@ericsson.com>2013-11-13 09:35:11 +0100
committerDavid S. Miller <davem@davemloft.net>2013-11-15 09:11:06 +0100
commit3db0a197ed86317ab2915bc8bddb91807b0f0e96 (patch)
treec9209a27ba6e8a40665f0a509685854ceba3d63c /net/tipc
parentipv4: fix possible seqlock deadlock (diff)
downloadlinux-3db0a197ed86317ab2915bc8bddb91807b0f0e96.tar.xz
linux-3db0a197ed86317ab2915bc8bddb91807b0f0e96.zip
tipc: fix dereference before check warning
This fixes the following Smatch warning: net/tipc/link.c:2364 tipc_link_recv_fragment() warn: variable dereferenced before check '*head' (see line 2361) A null pointer might be passed to skb_try_coalesce if a malicious sender injects orphan fragments on a link. Signed-off-by: Erik Hugne <erik.hugne@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc')
-rw-r--r--net/tipc/link.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c
index cf465d66ccde..69cd9bf3f561 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2358,7 +2358,8 @@ int tipc_link_recv_fragment(struct sk_buff **head, struct sk_buff **tail,
*head = frag;
skb_frag_list_init(*head);
return 0;
- } else if (skb_try_coalesce(*head, frag, &headstolen, &delta)) {
+ } else if (*head &&
+ skb_try_coalesce(*head, frag, &headstolen, &delta)) {
kfree_skb_partial(frag, headstolen);
} else {
if (!*head)